[57] ABSTRACT

A method for securing data and program code of an electronic postage meter machine against manipulation, having a microprocessor in a control unit of the postage meter machine for implementing steps for a start and initialization routine and following system routine with a possibility of entering into a communication mode with a remote data central, as well as further input steps in order to enter into a franking mode from which a branch is made back into the system routine after the implementation of an accounting and printing routine, includes conducting a start security check within the framework of a start and initialization routine which runs before a secure printing data call routine and the following system routine for determining the validity of a program code and/or of data in the predetermined memory location and of an appertaining MAC (message authentification code) that is present in the same storage medium. The check for valid program code and/or for validity of the data is implemented with a selected checksum method within an OTP (one time programmable) processor that internally receives the corresponding program parts. Transfer of the postage meter machine into the aforementioned system routine takes place given validity of the data or transfer of the postage meter machine into a first mode when the data are invalid, or when a specific manipulation criterion is met. Steps for preventing the franking or blocking of the postage meter machine and/or steps for preventing a further program execution or a program branch exiting the OTP processor within the framework of the system routine then occur.

18 Claims, 10 Drawing Sheets 
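
The start security check summarized in the abstract, sketched as an added example that is not code from the patent: a simulated OTP processor verifies the MAC stored beside each external memory region, plus the three-register sum described in the background section, before selecting the system routine or the first mode. HMAC-SHA256 stands in for the DES-based MAC the description names, and the key, memory layout and all class and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum

REG_FMT = ">QQQ"  # ascending, descending, control sum (assumed layout)


class Mode(Enum):
    SYSTEM_ROUTINE = "system routine"  # data valid, normal operation
    FIRST_MODE = "first mode"          # data invalid, franking blocked


@dataclass
class ExternalMemory:
    """Storage outside the processor; each region sits next to its MAC."""
    code: bytearray
    code_mac: bytes
    registers: bytearray
    registers_mac: bytes


def pack_registers(ascending: int, descending: int) -> bytearray:
    # The control register holds the sum of the other two registers.
    return bytearray(struct.pack(REG_FMT, ascending, descending,
                                 ascending + descending))


def registers_consistent(raw: bytes) -> bool:
    ascending, descending, control = struct.unpack(REG_FMT, raw)
    return control == ascending + descending


class OtpProcessor:
    """Holds the key and the check logic; neither leaves the processor."""

    def __init__(self, key: bytes):
        self._key = key  # constructed key, stands for one burned in at manufacture

    def _mac(self, label: bytes, data: bytes) -> bytes:
        # The label keeps a MAC for one region from validating another region.
        return hmac.new(self._key, label + b"\x00" + data,
                        hashlib.sha256).digest()

    def provision(self, code: bytes, ascending: int,
                  descending: int) -> ExternalMemory:
        regs = pack_registers(ascending, descending)
        return ExternalMemory(bytearray(code), self._mac(b"code", code),
                              regs, self._mac(b"regs", bytes(regs)))

    def start_security_check(self, ext: ExternalMemory) -> Mode:
        """Runs before the system routine; any failure selects the first mode."""
        code_ok = hmac.compare_digest(
            self._mac(b"code", bytes(ext.code)), ext.code_mac)
        regs_ok = hmac.compare_digest(
            self._mac(b"regs", bytes(ext.registers)), ext.registers_mac)
        sums_ok = (len(ext.registers) == struct.calcsize(REG_FMT)
                   and registers_consistent(ext.registers))
        if code_ok and regs_ok and sums_ok:
            return Mode.SYSTEM_ROUTINE
        return Mode.FIRST_MODE


def demo() -> dict:
    """Three constructed cases: untouched memory and two altered images."""
    otp = OtpProcessor(key=b"constructed-demo-key")
    image = b"constructed program image " * 4
    results = {}

    ext = otp.provision(image, ascending=1500, descending=8500)
    results["untouched"] = otp.start_security_check(ext)

    ext = otp.provision(image, ascending=1500, descending=8500)
    ext.code[10] ^= 0xFF  # one altered byte in the external program code
    results["code modified"] = otp.start_security_check(ext)

    ext = otp.provision(image, ascending=1500, descending=8500)
    # Registers rewritten so the control sum still agrees; only the MAC
    # over the register block reveals the change.
    ext.registers[:] = pack_registers(1500, 98500)
    results["registers rewritten consistently"] = otp.start_security_check(ext)
    return results


if __name__ == "__main__":
    for case, mode in demo().items():
        print(f"{case}: {mode.value}")
```

The third case is the reason for the MAC: the register sum alone still agrees after a consistent rewrite, so only the keyed check inside the processor detects it.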
METHOD OF IMPROVING THE SECURITY OF POSTAGE METER MACHINES

RELATED APPLICATION

The present application is a continuation-in-part of U.S. 
application Ser. No. 08/346,909 filed Nov. 30, 1994 
("Method for Improving the Security of Postage Meter 
Machines," Windel et al.), filed under the provisions of 37 
C.F.R. §1.53, now U.S. Pat. No. 5,671,146. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention is directed to a method for improving the security of postage meter machines capable of communicating with and, to a certain extent, controlled by, a remote central station.

2. Description of the Prior Art 

In a form agreed upon with the postal authority in a country of usage, a postage meter machine generally produces an impression flush right parallel to the upper edge of postal matter to be franked, beginning with the content of a postal value in the postmark, date in the date stamp and mark impressions for advertising slogans and, potentially, the type of mailing in the optional mark. The postal value, the date and the type of mailing thereby form the variable information to be entered in conformity with the piece of mail.

The postal value is usually the delivery fee (franking) pre-paid by the sender that is obtained from a refillable credit register and is employed for stamping the mail. In the current account method, by contrast, a register is merely incremented dependent on the frankings undertaken with the postal value and is read at regular intervals by a postal inspector.

Fundamentally, every franking that has been undertaken must be charged to the user and every manipulation that leads to a non-charged franking must be prevented.

A known postage meter machine is equipped with at least 
one input means, one output means, an input/output control 
module, a memory means that carries a program, data and, 
in particular, the accounting register, a control means and a 
printer module. Measures must also be undertaken given a 
printer module having a mechanical printing arrangement to 
insure that the printing mechanism cannot be misused for 
unbilled impressions when it is switched off. 

The invention is particularly directed to postage meter machines that deliver a fully electronically produced impression for franking postal matter, including the impression of an advertising slogan. This means that a valid franking that is not accounted for must only be prevented when the machine is in the activated condition.

In a postage meter machine disclosed in U.S. Pat. No. 4,746,234, fixed and variable information are stored in memory means (ROM, RAM), which are then read out with a microprocessor, when a letter actuates a microswitch on the conveying path preceding the printing position, in order to form a print control signal. The two types of data are subsequently electronically combined to form a printing format and can be printed on an envelope to be franked with a thermotransfer printing means.

A method for controlling the column-by-column printing of a postage character is proposed in a postage meter machine (European Published Application 578 042) that combines fixed and variable data converted separately from one another into graphic pixel image data during the column-by-column printing. It would therefore be difficult to undertake a manipulation at the print control signal without significant and expensive outlay when the printing ensues at high speed.

On the other hand, the memory means comprises at least one non-volatile memory module that contains the currently remaining credit, which results from subtracting the postage value to be respectively printed from a credit previously loaded into the postage meter machine. The postage meter machine inhibits when the remaining credit is zero.

Known postage meter machines contain three relevant postal registers in at least one memory for consumed total value (incrementing register), remaining credits still available (decrementing register), and a register for a checksum. The checksum is compared to the sum of used total value and available credit. A check for proper accounting is thus already possible.

It is also possible to transmit reloading information to the postage meter machine from a central data station via a remote value prescription in order to reload a credit into the register for the remaining credit (remaining value). Security measures suitable for this type of transaction must be undertaken so that the credit stored in the postage meter machine cannot be replenished in an unauthorized way. The aforementioned solutions for protecting against misuse and attempted forgeries require additional outlay for material and time.

U.S. Pat. No. 4,864,506 discloses an approach wherein communication to the remote central data station be undertaken proceeding from the postage meter machine when the value of the credit in the decrementing register lies below a threshold and a predetermined time has been reached.

The above-recited patent also discloses the establishment of a telephonic connection by the central data station to the postage meter machine after a defined chronological duration with the postage meter machine replying to the central data station only at predetermined times for receiving register data and for checking whether the postage meter machine is still connected to a specific telephone number.

It is also disclosed in the aforementioned patent to interrogate the identity number of the postage meter machine and the values in the decrementing and incrementing register for authorization by the central data station before a reloading of credit into the postage meter machine.

The aforementioned patent also discloses that the communication of the central data station with the postage meter machine need not remain limited to a mere transfer of credit into the postage meter machine. On the contrary, the communication of the central data station with the postage meter machine given a log-off of the postage meter machine is also utilized for transmitting the remaining credit of the postage meter machine into the central data station. The value in the decrementing postal register of the postage meter machine is then zero, this effectively shutting the postage meter machine off.

A security housing for postage meter machines that includes internal sensors is disclosed in German OS 41 29 302. The sensors are switches connected to a battery and are activated when the security housing is opened in order to erase a memory storing the remaining credit (decrementing postal register) by interrupting the energy supply. As is known, however, the condition (content) which a voltage-free memory module assumes upon restoration of the voltage is not predictable. Thus, an unpaid, higher remaining credit may also arise. Additionally, it cannot be precluded that the remaining credit may be at least partially lost under these circumstances. This, however, would be disadvantageous in case of an inspection since any "lost" credit that had been paid for by the user of the postage meter machine must then also be reloaded, but the amount of this remaining credit could then be falsified. Moreover, this document does not disclose means for preventing an unauthorized manipulator from restoring an unpaid remaining credit.

In known postage meter machines, further security measures such as break-off screws and the use of an encapsulated, shielded security housing are employed. Keys and a combination lock are also standard in order to make access to the postage meter machine more difficult.

In addition to these known mechanical techniques, unauthorized access to, or use of, the postage meter machine is to be prevented in the machine disclosed in U.S. Pat. No. 4,812,994 by inhibiting the postage meter machine given the absence of a password and/or during a predetermined time interval. The password can be entered via a MODEM, by a chip card or can be manually entered into the postage meter machine via the keyboard. After a positive comparison against a password stored in the postage meter machine, the postage meter machine is enabled. A security module (EPROM) is integrated in the control module of the debiting unit. As a further security measure, an encoding module (separate microprocessor or program for FM-CPU based on DES or RSA code) is provided, which produces a recognition number in the postmark that comprises the postage value, the user number, a transaction number and the like.

It is still possible, however, that the password could be 
discovered and could be placed into the possession of an 
unauthorized manipulator together with the postage meter 
machine. 

U.S. Pat. No. 4,812,965 discloses a remote inspection 
system for postage meter machines that is based on specific 
messages in the impression of postal matter that must be sent 
to the central station or transmitted via MODEM in response 
to a remote interrogation. Sensors within the postage meter 
machine are intended to detect any falsification action that 
has been undertaken so that a flag can be set in appertaining 
memories in the event that operations were performed on the 
postage meter machine for manipulative purposes. Such an 
operation could ensue in order to load an unpaid credit into 
the registers. 

Upon detection of a manipulation, the postage meter machine is inhibited during the remote inspection via MODEM by a signal transmitted from the central data station. It is still not fully preventable, however, that a dexterous unauthorized manipulation could reset the flag and the registers into their original condition after the production of postage impressions that were not accounted for. Such a manipulation could not be detected by the central data station via remote inspection if this canceled manipulation preceded the remote inspection. The reception of the post card from the central data station on which the franking to be undertaken for inspection purposes should ensue also allows the manipulator adequate time, and puts a manipulator on notice, to reset the postage meter machine into the original condition. A higher level of security can thus not be achieved.

The disadvantage of such a system is that one cannot prevent a knowledgeable manipulator who breaks into the postage meter machine from subsequently erasing the flags to eliminate the evidence of tampering. One can thus similarly not prevent the manipulation of the impression itself that is produced by a properly operated machine manipulated. In known machines, there is a possibility of producing impressions having the postage value of zero. Such zero frankings are required for testing purposes and could also be subsequently falsified in that a postage value greater than zero is simulated.

A security impression according to European Patent Application 576 113 provides symbols in a marking field in the postmark that contain encrypted information. This allows the postal authority which collaborates with the central data station to recognize a manipulation at the postage meter machine at arbitrary points in time based on the respective security impression. Although an ongoing monitoring of such postal matter provided with such a security impression is technologically possible via appropriate security markings in the mark format, this means additional outlay at the post office. Given a monitoring based on spot checks, however, a manipulation is usually only recognized long after the fact.

Moreover, an additional evaluation can ensue in the 
central data station of a user of a postage meter machine that 
has been continued to be operated by the user beyond the 
inspection date. No conclusions regarding manipulation 
undertaken for falsification purposes, however, are yet able 
to be derived from these evaluations. 

U.S. Pat. No. 4,251,874 discloses a mechanical printer unit which must be preset for printing and which has a detector means employed for monitoring the presetting. Further, means for identifying errors in data and control signals are provided in the electronic accounting system. When this number of errors reaches a predetermined value, further operation of a postage meter machine is interrupted. The sudden outage of the postage meter machine, however, is disadvantageous for the user of the postage meter machine. In the case of a non-mechanical printer, such internal errors can rarely be anticipated and the postage meter machine is shut off immediately anyway in the event of a serious fault. Moreover, the protection against a manipulation of the postage meter machine does not become significantly greater by shutting the postage meter machine off after a predetermined number of errors.

U.S. Pat. No. 4,785,417 discloses a postage meter machine having program sequence monitoring. The correct sequence of a larger program segment is monitored with a specific code allocated to each program part, this specific code being stored in a specific memory cell in the RAM when the program segment is called in. A check is then carried out to determine whether the code stored in the aforementioned memory cell is continuously present in the program part running at the moment. If the run of a program part were interrupted given a manipulation and if a different program part were to sequence, an error can be identified on the basis of such a monitoring query. The comparison, however, can only be implemented in the main sequence. Subsequences, for example security-related calculations that are used by a plurality of main sequences, cannot be checked for execution of the program part on the basis of such a monitoring because the program check ensues independently of the program sequence. If a manipulation occurs wherein allowed program parts or sub-sequences are additionally introduced into main sequences or are omitted therefrom, or wherein a branch is made to sub-sequences, then no error would be identified since the length of the program part is neither identified nor can an identification be made as to which program branch was run how often.

Another type of expected manipulation is the reloading of the postage meter machine register with a credit value that has not been deducted. This necessitates a protected reloading. According to U.S. Pat. No. 4,549,281, an additional security measure can be employed which is the comparison of an internal, fixed combination stored in a non-volatile register with an entered, external combination, whereby the postage meter machine is blocked with inhibit electronics after a plurality of failed attempts, i.e. non-identity of the combinations. According to U.S. Pat. No. 4,835,697, the combination can be changed in order to prevent unauthorized access to the postage meter machine.

U.S. Pat. No. 5,077,660 also discloses a method for changing the configuration of the postage meter machine, whereby the postage meter machine is switched from the operating mode into a configuration mode on the basis of a suitable input via a keyboard, and a new meter type number can be entered which corresponds to the desired plurality of features. The postage meter machine generates a codeword (password) for the communication with the computer of the data central and the entry of the identification data and of the new meter type number in the aforementioned computer, which likewise generates a corresponding codeword (password) for communication to and entry into the postage meter machine wherein the two codes are compared. Given agreement between the two codewords, the postage meter machine is configured and switched into the operating mode. The data central always has exact records of the meter type which has been set for the corresponding postage meter machine. The security, however, is dependent only on the level of difficulty of breaking the encryption encoding of the transmitted codeword.

Over and above this, European Application 388 840 discloses a comparable security technique for setting a postage meter machine in order to purge it of data without having to transport the postage meter machine to the manufacturer. Here, too, the security is solely dependent on the encoding of the transmitted code. It is known to combine the secured reloading of credit into a postage meter machine with an automatic signal transmission from the postage meter machine to the data central, as disclosed in U.S. Pat. No. 3,255,439, whenever a predetermined sum of money that was franked or a predetermined piece number of processed mailings or a predetermined time period was reached. Alternatively, a signal corresponding to the sum of money, piece number or time period can be communicated. The communication thereby ensues with binary signals via converters connected to one another via a trunk. The machine receives reloading data corresponding to the credit balance that are secured in exactly the same way and is inhibited when no credit is resupplied.

U.S. Pat. No. 4,811,234 discloses that transactions be implemented encrypted and to interrogate registers of the postage meter machine and to communicate the register data to the data central in order to display a chronological reference to the diminution of the amount authorized for availability, the amount being stored in the register. The postage meter machine identifies itself at the data central by its encrypted register content when a pre-settable threshold is reached. The data central modifies the requested franking amount up to which franking is allowed to be carried out on the basis of corresponding authorization signals. The encryption is thus the sole protection against a manipulation of the register readings. The data central can thus not identify the occurrence of a manipulation if a manipulator always properly loads the same amount at the same chronological intervals, but franks a far higher amount in the meantime with the manipulated postage meter machine.

European Application 516 403 discloses that the errors of the postage meter machine logged in the past and stored in a memory be regularly transmitted to a remote error analysis computer for evaluation. Such a remote inspection allows an early warning of the presence of an error and makes it possible to have recourse to further measures (service). This approach, however, does not yet offer an adequate criterion for detecting a manipulation.

According to British Specification 22 33 937 and U.S. Pat. No. 5,181,245, the postage meter machine periodically communicates with the data central. A blocking means allows the postage meter machine to be blocked after a predetermined time or after a predetermined number of operation cycles and supplies an alarm to the user, whereby an encrypted codeword must be entered from the outside, which is compared to an internally generated, encrypted codeword. In order to prevent incorrect accounting data from being supplied to the data central, the accounting data are also incorporated into the encryption of the aforementioned code. A disadvantage is that the alarm ensues simultaneously with the blocking of the postage meter machine without giving the user a possibility of appropriately modifying his behavior in time.

U.S. Pat. No. 5,243,654 discloses a postage meter machine wherein the ongoing temporal data supplied by a clock/date module are compared to stored data about standstill times. When the standstill time is reached by the running time, the postage meter machine is deactivated, i.e. printing is prevented. When a central data station which reads the accounting data from the incrementing register is contacted, [...] combination value is communicated to the [...] the postage meter machine is again rendered operational. The sum total of use which contains the aggregate [...] the central data station is [...] combination value transmitted in encoded form. After decoding the combination value, the aggregate amount of use is separated and compared to the aggregate amount of use stored in the postage meter machine. When the comparison is positive, [...] canceled. This solution achieves the desirable result of necessitating that the postage meter machine periodically [...] to communicate. Instances of use are conceivable, however, wherein the volume of mail to be franked fluctuates (seasonal operation). In these cases, the postage meter machine would be inhibited unnecessarily frequently in a disadvantageous way.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a postage meter machine which overcomes the aforementioned disadvantages of known machines and which achieves a significant increase in security without the necessity of conducting unscheduled ("surprise") on-site inspections.

It is a further object of the present invention to provide a method for operating such a machine wherein improved security is achieved without the need for a special mechanical encapsulation of the interior components of the machine, and without the necessity of using a sensor for recognizing when an unauthorized opening of the housing has occurred.

It is a further object of the present invention to provide such a method which permits the occurrence of a manipulation, which was undertaken with the intent of falsification, to be recognized and which provides enhanced security for the data stored in the components.

It is a further object of the present invention to provide a method for operating such a postage meter machine which
allows the postage meter machine to remain secure but to have a housing which permits relatively easy access to individual electronic modules of the machine for a service technician.

Another object of the present invention is to provide such a method which permits the machine to operate using a processor without an internal NV-RAM.

Lastly, it is an object of the present invention to provide a method for operating a postage meter machine wherein the security of the ciphers in the postage meter machine that are required for communicating with a central data station is improved during a data communication event.

The above objects are achieved in accordance with the principles of the present invention in a method for improving the security of data and the program code in an electronic postage meter machine, the postage meter machine being of the type having a microprocessor in a control unit for implementing steps for a start and initialization routine and a subsequent system routine, with the possibility of entering into a communication mode with a remote data central station, as well as for implementing further input steps in order to enter into a franking mode, from which a branch can be made back to the system routine after the implementation of an accounting and printing routine. In accordance with the principles of the present invention, the method includes the steps of conducting a security check within the start and initialization routine, the security check running before a secure printing data call routine and the subsequent system routine, for determining the validity of a program code and/or of data in a predetermined memory location and of an associated MAC (message authentification code) which is stored in the same memory. The check for a valid program code and/or for the validity of the data is conducted using a selected checksum method with an OTP (one time programmable) processor which internally receives the corresponding program portions. In accordance with the method, the postage meter machine is then transferred into the aforementioned system routine given verification of the validity of the data, or the postage meter machine is transferred into a first mode if the data are invalid, or if a predetermined manipulation criterion is met. Under such circumstances, appropriate steps are then taken to prevent franking, or to block the postage meter machine and/or steps may be taken for preventing a further program execution or a program branch from the OTP processor within the aforementioned system routine.

The invention is based on a processor that can be programmed only once.

Increased security can be achieved, for example, with a mask-programmed microprocessor that has externally accessible ports and an internal bus structure, an internal ROM, an internal RAM for security-associated executions. Security-associated data and routines are burned into the internal ROM during manufacture.

In a preferred version the postage meter machine has a microprocessor which contains an internal ROM that does not allow a read-out of the program codes contained therein. This can be a commercially obtainable OTP (one time programmable) processor that is placed into such a condition after the programming event by setting/burning a read-out barrier.

The postage meter machine can also be equipped with an OTP type that allows a read-out of security-associated data and programs in encrypted form (encryption table). This has the advantage that it is possible to check whether the data were properly stored.

The invention has the advantage that program code and constant, security-associated data cannot be modified, cannot be skipped over and cannot be learned by inspection or by electronic means. The program execution of program parts that are implemented in the internal OTP-ROM can thus not be manipulated. As long as no program branch occurs, there is reliable protection against fraudulent manipulation. Inventively, the program parts that are implemented in the internal OTP-ROM also enable protection of externally stored program parts that, for example, are stored in an EPROM. A number of ciphers and an encryption algorithm are also inventively stored in the OTP-ROM, these being employed in the program execution of security-associated transactions and in the external storing of security-associated data.

The EPROM accepts the majority part of the program code and makes an external program code available to the microprocessor via the microprocessor bus. Since, however, program variables are additionally stored in the internal OTP-RAM, a security-associated encapsulation of the program execution is achieved. Program executions having different security levels can thus be designationally realized with an OTP processor. A faulty or manipulated postage meter machine remains completely in the OTP-ROM with its program execution and cannot be forced into different operating modes.

The inventive solution also proceeds on the basis that the financial information stored in the postage meter machine must be protected against unauthorized access. The falsification of data stored in the postage meter machine is rendered difficult to such an extent that the outlay and effort are no longer worth it for a manipulator.

Commercially obtainable OTP processors (one time programmable) can contain all security-associated program parts in the inside of the processor housing and can also contain the code for forming the message authentification code (MAC). The latter is an encrypted checksum that is attached to an information packet. For example, data encryption standard (DES) is suitable as a crypto-algorithm. MAC information can thus be appended to the security-associated register data and the difficulty of manipulation at the postal registers can be maximally increased.

These security-associated program parts also have program parts for flow monitoring that monitor the various executed program parts. Malfunctions of the microprocessor or manipulations undertaken with the intent of falsification can thus be discovered. Specific calculating operations allow a check to determine which program parts are employed and how often.

Another security measure, which can be executed in addition to the error handling (kill mode) of the start-security check, is to monitor the program running time of selected, security-associated programs or program parts in a time supervision mode (kill mode 1). Given a deviation of the running time of programs or program parts from a predetermined running time as occur given manipulation or monitoring of the program execution with an emulator, the machine is inhibited. One such program part relates to the communication mode. A secret cipher for the encrypted communication is stored in encrypted form outside the OTP. The OTP can recover the actual cipher therefrom by decoding, this being required for transactions between the postage meter machine and the data central.

The postage meter machine can switch from the system routine into the second mode with a decision criterion in order to provide the user of the postage meter machine with
an alarm and with a request to communicate with the data central station. At the same time, the behavior of the postage machine user is monitored by the data central station on the basis of data previously communicated during a communication event.

In the inventive postage meter machine a specific sleeping mode counter is set to a specific number of items in each communication event with the data central and is initiated to continue counting at every franking, i.e. during the course of a debiting and printing routine, until a specific number is reached. The specific number of items is calculated both in the postage meter machine and in the data central station and is communicated to the postage meter machine via a communication connection.

In order to improve the securing of postage meter machines with only one microprocessor and a suitable program of a postage meter machine, a user-associated information word or packet about the use of credit that is simultaneously identically present in the data central station and in the machine forms a first calculating base in order to check data relating to the credit use and credit reloading data stored in the data central station for their plausibility.

Another inventive calculating base uses further data, particularly in conjunction with the number of items since the last communication, and allows an unscheduled inspection of a postage meter machine which is considered suspicious in the data central station to be undertaken on site.

The postage meter machine that receives a regular reloading of credit and is thereby inspected can thereby be classified as non-suspect. The postage meter machine that continues to be operated without inspection beyond a predetermined inspection date, however, need not necessarily be manipulated. For example, the volume of mail to be processed by the postage meter machine may have diminished to an above-average extent. When adequate remaining credit is available in the postage meter machine, of course, franking can continue to be carried out. Only an unscheduled on-site inspection can unambiguously determine whether a manipulation has occurred in this case.

For inspecting suspicious postage meter machines, the data central station informs the postal authority or the institution authorized to carry out the inspection, of the serial number of the suspect postage meter machine. The volume of mailings (letters) of specific senders can be monitored with this information, such as by counting the number of mailings over a time interval of, for example, ninety days.

An operation may possibly have to be performed on the postage meter machine given an on-site inspection or repair. For preparing for the intervention, the registers of the postage meter machine are interrogated or printed out in order to identify the type of required intervention. After an authorized operation performed on the postage meter machine has ensued, the original operating condition is restored with the specific data being re-entered in a suitable [illegible]

When, however, a manipulator undertakes an unauthorized intervention, the postage meter machine is effectively placed out of operation after the power-up by switching the postage meter machine into the first mode (error handling).

Another security measure that can be implemented in the second mode in addition to or instead of a sleeping mode version is the error overflow mode. This lengthens the reaction time span of the postage meter machine when a predetermined number of errors is exceeded and reports this condition to the operator of the postage meter machine via the display. If the cause of the excess number of errors is not eliminated, for example by means of an inspection by a service contractor or by resetting during a communication with the data central station, the reaction time span can be lengthened further in order to make potential manipulations difficult.

[illegible] securing data and program code of an electronic postage meter machine that is capable of communication [illegible] OTP processor in a control unit of the postage meter machine in accordance with the inventive method an externally stored, predetermined MAC value is transmitted into the internal OTP-RAM and a checksum is formed in the OTP processor regarding the content of that external memory that is allocated to the MAC. A comparison of the result with the predetermined value of the MAC volatilely stored in the internal OTP-RAM is made before and/or after the expiration of the franking mode or operating mode, and thus before the initialization as well (i.e., when the postage meter machine is operated) or during times wherein printing is not carried out (i.e., when the postage meter machine is being operated in a stand-by mode). In case of error, a reporting and subsequent blocking of the postage meter machine then ensue.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block circuit diagram of a postage meter machine having increased security operating in accordance with the inventive method.

FIG. 2 is a block circuit diagram of a postage meter machine having increased security operating in accordance with the inventive method with an OTP in the control unit of the postage meter machine.

FIG. 3 is a flowchart for a postage meter machine operating according to the inventive method.

FIG. 4 is a flowchart for the start and initialization routine of FIG. 3.

FIG. 5 is a flowchart for the franking mode of FIG. 3.

FIG. 6 illustrates the formation of a MAC checksum by encryption for an external program-EPROM.

FIG. 7 is a flowchart for checking an external program-EPROM in accordance with the inventive method.

FIG. 8 illustrates the formation of a MAC checksum by encryption for an external imprint-EPROM in accordance with the inventive method.

FIG. 9 is a flowchart for checking an external imprint-EPROM in accordance with the inventive method.

FIG. 10 is a flowchart for securing selected register data in accordance with the inventive method.

FIG. 11 is a flowchart for checking selected register data in accordance with the inventive method.

FIG. 12 is a flowchart for input encryption of the ciphers that are utilized for the protected transmission of data between postage meter machine and data central station in accordance with the inventive method.

FIG. 13 is a flowchart for the decoding of the ciphers for the remote value input in accordance with the inventive method.

FIG. 14 is a flow chart for securing security-associated data in a freely accessible memory in an electronic postage meter machine, in accordance with the inventive method.

FIG. 15 is a flow chart showing details of one of the steps of the flow chart of FIG. 14.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 shows a block circuit diagram of the inventive postage meter machine having a printer module 1 for a fully
electronically produced franking format, comprising at least one input unit 2 having a number of actuation elements, a display unit 3, a modem 23 that produces communication with a data central station, further input unit 21 or a scale 22 coupled to a control unit 6 via an input/output control module 4, and non-volatile memories 5a, 5b and 9, 10 and 11 for data or programs that include the variable or the constant parts of the franking format.

The character memory 9 supplies the necessary printing data for the variable parts of the franking format to a volatile main memory 7. The control unit 6 includes a microprocessor µP that is in communication with the input/output control module 4, the character memory 9, the volatile main memory 7 and the non-volatile main memories 5a, 5b (which form a cost center memory), and with a program memory 11. The control unit 6 also communicates with the motor 12 of a conveyor or feeder, potentially with strip triggering, with an encoder (coding disk) 13, as well as with a clock/date module 8. The individual memories can be realized in a number of physically separated modules or combined in a few modules (not shown). The memory module that includes the non-volatile main memory 5b can, for example, be an EEPROM that is protected against removal by at least one additional measure, for example gluing on the printed circuit board, sealing or being cast with epoxy resin.

The electronic postage meter machine shown in FIG. 1 has inventively enhanced security. The invention is based on a postage meter machine having a microprocessor that contains an internal OTP-ROM that does not allow the program code contained therein to be read out. Moreover, security-associated data are stored in the internal OTP-ROM. In order to prevent the read-out by means of an external operation, corresponding security bits can be set in the microprocessor during the manufacture of the postage meter machine. This can be a commercially obtainable OTP processor that is placed into such a condition after the programming event by setting/burning a read-out barrier; or this can be a microprocessor having mask-programmable ROM that no longer allows a read-out of the program code after the manufacturing process or only allows a read-out of the program code and the data in encrypted form.

FIG. 2 shows a detail of the block circuit diagram of the electronic postage meter machine for a version having OTP in the control unit 6. Given this fundamental arrangement in FIG. 2, sensors and actuators such as, for example, the encoder 13 and motor 12 shown in FIG. 1 can optionally be directly connected to the OTP or can be connected thereto via I/O ports.

A preferred version of a microprocessor is an 8051 processor with 16 kbyte on-chip EPROM (Philips 87 C51 FB). Such an OTP type (one time programmable) cannot be erased by ultraviolet light because it does not have a window suitable for ultraviolet light passage. Programming thereof can therefore be done only once. The internal OTP-RAM has a memory area of 256 bytes.

The invention also operates on the basis that the entire program code required for the operation of a postage meter machine does not fit into the microprocessor-internal ROM, i.e. another EPROM is needed that accepts the majority of the program code and that makes the program code available to the microprocessor via the microprocessor bus. An arrangement is employed for this purpose that divides the program memory into memory segments, referred to as memory banks, that allow the program memory area to be arbitrarily enlarged via the address area of the µP by using µP port lines.

FIG. 3 shows an overall flowchart of a postage meter machine having inventively enhanced security, whereas FIG. 4 shows an inventive detail therefrom in greater detail, namely a flowchart for the start and initialization routine.

[illegible] FIGS. 3 and 4 a power-up of the postage meter machine ensues in the step start 100 and a function [illegible] subsequent initialization is undertaken subsequently [illegible] 200 is only undertaken thereafter.

A program code in the non-readable, internal OTP-ROM [illegible] advantageous start security check routines but at least those as named in FIG. 4 and set forth in detail in conjunction with FIGS. 7, 9 and 11.

These routines relate to the method for securing data and program code of an electronic postage meter machine and serve the purpose of improving the security of this electronic postage meter machine within the framework of a start security check in conjunction with the initialization thereof.

After the start, a start routine ensues in step 101 and an initialization of the postage meter machine ensues. Such routines initialize the hardware and display in a standard way and start a timer and, or, respectively, interrupt. The step 101 inventively includes a start security check 1020.

A start security check routine is undertaken, which checks the most important, externally maintained postage meter machine data and external program code completely encapsulated in the internal ROM and RAM area of the OTP with its program code. This security check routine can thereby recognize manipulations — without an external possibility of influencing with manipulative intent thereby existing — that had been implemented during the deactivated condition of the postage meter machine and can then effectively inhibit further operation of the postage meter machine if the check routines are not run error-free. In this case, the program execution remains in an endless program loop in the OTP-ROM (error handling 1030). The external storage media are used by the µP (read EPROM, write RAM) only after the checks have been run error-free and the system routine 200 is reached.

FIG. 4 shows the schematic program flowchart of all functions that are implemented during the start security check of the postage meter machine in the OTP-ROM. Inventively, the start security check of the postage meter machine includes a number of routines in addition to the routine 1026 for the securing of the external program memory.

For example, the routine 1021 not set forth in greater detail here denotes a check of the internal OTP-RAM with respect to its operating capability. The program version numbers are compared in the routines 1022 and 1023, i.e. a determination is made whether the burned OTP together with the EPROM forms a set of complete program code or whether a different EPROM belongs to the OTP. In routine 1024, a check is made on the basis of the data predetermined by the imprint-EPROM to see whether a valid imprint-EPROM or, respectively, an imprint-EPROM belonging to the aforementioned set is plugged in the socket. It should be noted that an advantage is that the imprint-EPROM can be plugged into the socket or replaced not only by the service technician but can also be unproblematically plugged or, respectively, replaced by any other authorized person. Specific driver circuits (buffers) that are connected (FIG. 2) between the bus and the EPROM socket prevent external read-out of internal postage meter machine data. Data can be entered into the postage meter machine at any time, however, via the socket.
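The start security check described above, reduced to the version-set comparison (routines 1022 and 1023) and the MAC comparison over the external program memory, as an added sketch that is not code from the patent. It uses HMAC-SHA-256 from the Python standard library as a stand-in for the machine's own checksum method, and the image layout, key, sample code bytes and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct
from enum import Enum

# Constructed EPROM layout (an assumption for this example, not the patent's):
#   bytes 0-1   program version number, big-endian
#   bytes 2-33  area reserved for the MAC
#   bytes 34-   program code
MAC_OFFSET = 2
MAC_LEN = hashlib.sha256().digest_size
CODE_OFFSET = MAC_OFFSET + MAC_LEN

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")      # constructed key
CODE = b"\x02\x01\x00" + b"franking routine placeholder " * 4  # constructed code


class Result(Enum):
    OK = "enter system routine 200"
    VERSION_MISMATCH = "error handling 1030: EPROM is not part of this OTP's set"
    MAC_INVALID = "error handling 1030: external memory content not authentic"


def compute_mac(key: bytes, image: bytes) -> bytes:
    """Keyed checksum over the whole image with the MAC area blanked out."""
    blanked = image[:MAC_OFFSET] + bytes(MAC_LEN) + image[CODE_OFFSET:]
    return hmac.new(key, blanked, hashlib.sha256).digest()


def seal_image(key: bytes, version: int, code: bytes) -> bytes:
    """Manufacturer side: build the image and embed the MAC before burning."""
    image = struct.pack(">H", version) + bytes(MAC_LEN) + code
    return image[:MAC_OFFSET] + compute_mac(key, image) + image[CODE_OFFSET:]


class Otp:
    """Stands in for the read-protected processor; key and version stay inside."""

    def __init__(self, key: bytes, version: int):
        self._key = key
        self._version = version

    def start_security_check(self, image: bytes) -> Result:
        if len(image) <= CODE_OFFSET:
            return Result.MAC_INVALID          # too short to hold header and code
        (version,) = struct.unpack_from(">H", image, 0)
        if version != self._version:           # routines 1022/1023: same set?
            return Result.VERSION_MISMATCH
        stored_mac = image[MAC_OFFSET:CODE_OFFSET]   # copy into internal RAM
        expected = compute_mac(self._key, image)     # recomputed inside the OTP
        if not hmac.compare_digest(stored_mac, expected):
            return Result.MAC_INVALID
        return Result.OK

    def power_up(self, image: bytes):
        """Return (result, code); external code is released only after a clean check."""
        result = self.start_security_check(image)
        if result is not Result.OK:
            return result, None                # the machine would stay in its loop here
        return result, image[CODE_OFFSET:]


def tamper(image: bytes, index: int) -> bytes:
    """Flip one bit of the image, as a stored-content manipulation would."""
    changed = bytearray(image)
    changed[index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    otp = Otp(KEY, version=7)
    genuine = seal_image(KEY, 7, CODE)
    cases = {
        "genuine EPROM": genuine,
        "one bit changed in the code": tamper(genuine, CODE_OFFSET + 5),
        "resealed without the internal key": seal_image(bytes(16), 7, CODE + b"\x00"),
        "EPROM from a different set": seal_image(KEY, 8, CODE),
        "truncated image": genuine[:10],
    }
    for name, image in cases.items():
        print(f"{name}: {otp.start_security_check(image).value}")
```

Because the version field lies inside the MAC-covered area, changing it to match another OTP invalidates the stored MAC as well.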
The routine 1026 relates to the securing of the external program memory and the routine 1025 relates to the securing of the externally accessible EPROMs and the data stored therein against manipulations on the basis of a security check. A first monitoring of security-associated or postal register data in the external NVRAM and EEPROM is undertaken in the routines 1027 and 1028. The routine 1029 identifies invalid data copies or data copies capable of being repaired and eliminates the error as warranted.

As set forth in greater detail in European Application 615 211, at least one register check of the data structure of the postal register is implemented in step 1029 in order to log the errors. This is a method for memory correction of security-associated data in a postage meter machine, wherein redundantly stored data are compared to one another in order to again load a memory area having faulty data with error-free data. This, however, is no longer possible given a sixth error type because all redundantly stored data now have different errors that can no longer be automatically corrected. Only a service technician could reconstruct the data in a predetermined way, which must occur after every authorized opening before the postage meter machine is placed back into operation. Measures are therefore also undertaken in step 1030 in order to inhibit the postage meter machine given register data structure errors.

The routine 1026 to be set forth in greater detail below for securing the external program memory is based on the storing of a MAC in the memory module to be respectively secured. In addition to the required preservation of the data reliability, this especially has the advantage of permitting replacement of a malfunctioning program-EPROM without having to simultaneously replace the OTP as well.

For securing the external program memory, an application of the MAC method ensues in step 1026 for checking the integrity of the program code of external, bus-coupled EPROMs before the bus access of the processor and during the ongoing program execution. Advantageously, secure cryptographic functions can be realized with a secret code that is hidden unreadably in the internal program memory, the security of these cryptographic functions being based on the use of this secret code. When data relating to a checksum (for example, CRC) about the memory content (block 70) of the program memory are encrypted with a cryptographic function (block 60) such as, for example, the data encryption standard (DES), using this secret code (block 61), a cryptographic checksum is obtained, what is referred to as the message authentication code (MAC) that forms a checksum (for example, CRC) about the memory content (block 70). Inventively, this MAC is formed once, at a time T1 at which manipulations are precluded, and is stored in a non-volatile memory area (block 71) of the external program memory of the microprocessor system. This point in time T1 is achieved only at the manufacturer of the postage meter machine, whereby this MAC (T1) is formed, for example during the program code data production in the personal computer, with the cryptographic checksum method (for example, DES algorithm) and is embedded in a defined memory area in the EPROM source data. The aforementioned data are burned into the EPROM during programming. FIG. 6 shows such a formation of a MAC checksum with the DES method via external program EPROMs, whereby the MAC is embedded in the memory area to be filled.

A start routine and initialization of an electronic postage meter machine was proposed in European Application 660 269, FIG. 2a (step 101), but without setting forth these details. Further, a routine for the initialization was proposed, wherein a security-relevant program code is deposited in the OTP, and wherein the formation of a checksum about the content of the external program memory and a comparison ensue in the OTP. The MAC, however, was stored in a specific OTP with internal NVRAM. Moreover, measures were not disclosed for preventing a manipulator from assuming control of the microprocessor with his or her own program code in the external EPROM as soon as the microprocessor leaves the internal ROM region by using a jump command, and thus skipping over security [illegible] routines that should actually be subsequently implemented in the OTP-ROM. Further, measures were not disclosed to the effect that, as soon as the microprocessor writes external RAM serving as data memory for its program code to be implemented, this can be modified by a manipulator, which can modify or disturb the program execution.

FIG. 7 shows the execution for checking an external program-EPROM for manipulations with MAC checksum methods. During the running time of the postage meter machine, the microprocessor system can form the MAC (in step 1026.2) at time T2 and later (T2[illegible]) using the same secret code (step 1026.3) according to the same cryptographic checksum method (step 1026.2) regarding the memory area (step 1026.1) to be checked, and compares this MAC (T[illegible]) to [illegible] (step 1026.5) (see 1026.6). As a result of this comparison, the data [illegible] manipulations of the memory [illegible] be recognized (step 1026.7). Given a negative comparison, appropriate measures can then be undertaken [illegible] operation of the postage meter machine (step 1030) or to make a manipulation more difficult or to indicate such a manipulation with suitable measures.

A continuous MAC formation ensues, following the start security check, in every one of the operating program loop, so that a relevant MAC is respectively formed over a larger number of program memory cells with the cryptographic checksum method and can be compared to the stored MAC formed at time T1.

What is thus achieved is that the time up to a MAC checksum comparison about the entire memory contents (128,000 bytes) is relatively short. The interval between the checksum comparisons can be linked to a chronological monitoring, so that a stoppage of the program is recognized [illegible] negative MAC comparison.

FIG. 8 shows the formation of a MAC checksum with the DES method by means of EPROMs in the socket of the open postal flap. This is another advantageous application of the MAC method for checking the integrity of data and of the program code of EPROMs that are inserted into the externally accessible socket given a postage meter machine with an opened postal flap.

European Application 660 269 also proceeds on the basis of a postage meter machine that has a closeable and sealable flap that allows access to the hardware (EPROM socket) lying therebehind only to a limited group of persons who are known to be reliable. It is assumed that these persons will not undertake any manipulation of the postage meter machine. A security-maintaining solution has now been found, in accordance with the invention, that can be employed in a postage meter machine that has a partially opened postal flap. This has the advantage that the user has access to the imprint-EPROM socket and can replace the imprint-EPROM socket on his or her own. As may be seen from FIG. 2, this socket is connected to the microprocessor bus, i.e. a manipulation could ensue by means of a manipulator using a manipulated program-EPROM that, like a reset-EPROM, assumes the control of the microprocessor system, and thus intentionally modifies sums of money, entries or security entries in the postage meter machine, or by using a manipulated imprint-EPROM that contains modified printing data of the value stamp (location of the sender, postal code of the sender) and which results in a manipulation of the value stamp imprint.

FIG. 8 shows the securing of a further external EPROM. Again, the aforementioned principle of the MAC securing regarding the memory areas can be applied, since reliable cryptographic functions whose reliability is based on the use of a secret code can be realized with a secret code that is unreadably hidden in the internal program memory (OTP-ROM). When a checksum of these data areas (block 40) is encrypted with a cryptographic function (block 60), for example, DES using this secret code (block 40), a cryptographic checksum relating to the memory contents arises. This MAC must be formed once at time T1 at which manipulations are precluded and is stored (block 41) in the EPROM that is inserted into the imprint socket (imprint EEPROM, reset-EPROM). This MAC (T1) is formed, for example, during the program code data production of the reset-EPROM in a personal computer and in the imprint data production with the cryptographic checksum method (for example, DES algorithm) and is embedded in a defined [illegible]

FIG. 9 shows the checking of an EPROM in the imprint socket with MAC checksum methods for manipulation. During the running time of the postage meter machine, the microprocessor system can form the MAC about the memory area (step 1025.1) to be checked according to the same cryptographic checksum method (step 1025.2) at time T2 of the start security check using (step 1025.3) the same secret code and compares this MAC (T2) to the MAC (T1) taken (step 1025.5) from the EPROM (step 1025.6). As a result of this comparison (step 1025.6), the data integrity of the value stamp data can be checked and manipulations of the program code can be recognized (step 1025.7). Given a negative comparison, appropriate measures can then be undertaken that prevent further operation of the postage meter machine (error handling 1030).

FIG. 11 relates to the checking of selected postal data values in an electronic postage meter machine that are protected with a MAC. Such a check is implemented, for example, in step 1020 during the start and initialization routine, and the communication mode 300 and in the franking mode 400.

The start security check in the start and initialization routine is thus implemented with a selected checksum method within an OTP (one time programmable) processor that keeps the corresponding program parts internally stored and also stores the code for forming a MAC (message authentification code), for which reason the manipulator cannot reduplicate the type of checksum method. Further security-associated cryptodata and sequences are stored exclusively in the interior of the OTP processor in order to place a MAC securing over the postal registers.

The securing of the register values R1, R2, R3, which are stored in a non-volatile NVRAM (see FIG. 1), with a MAC is already implemented in European Application 660 269. The following embodiment expands this register securing in order to intentionally achieve an even higher security of the postage meter machine. Further instances to be additionally secured are:

1. Item counter register R4 with which the following security-associated checks are implemented in the postage meter machine:

Suspicious mode

Printing the R4 value in the postage meter stamp for visual postal monitoring

Sleeping mode.

A manipulation of R4 would place these recited security checks in question and R4 is therefore involved in the following MAC securing of registers.

2. Instances which would require the use of NVRAMs from other postage meter machine.

[illegible] security-associated data (for example, code word Y, [illegible] postage meter machine, in an NVRAM (see FIG. 1) that is not soldered on the control unit but is plugged into a commercially obtainable socket, so that this NVRAM can be pulled in case of service and read out with a specific service computer in order, for example, to read out register data.

A manipulator could open the postage meter machine and produce copies of this NVRAM or that of a different postage meter machine that contains a consistent data set (money [illegible] register readings, MACs, security data, flags). The manipulator could then intentionally implement manipulations in the data set, for example, reducing the billed franking value. Given an inspection or at the next remote [illegible] this manipulation would be noticed, for [illegible] suspicious mode.

When the serial number, which is an unambiguous identification of an individual postage meter machine, and is thus also an unambiguous identification of the data set of the postage meter machine, is involved in the MAC securing of register data, then a data set from a different postage meter machine cannot be used in the NVRAM because the serial number is also burned into other non-volatile memories, for example an EEPROM, that cannot be removed from the postage meter machine.

The manipulation would be recognized given a comparison of the various, stored serial numbers and would block the postage meter machine.

In order to achieve this increased security, the following registers are secured with a MAC and are thus secured against manipulations:

Remaining the sum register R1

Prescribe the sum register R3

Item number register R4

Machine number Nr.

The principle of this MAC generation is shown in FIG. 10.

After every modification of the registers, for example, after each franking, the MAC is recalculated by encrypting the registers with the cryptographic function (block 60), such as data encryption standard (DES), (block 63) using the secret code K[illegible]. The result of the encryption, the MAC, is stored in the data area SO[illegible] reserved for it in the NVRAM.

Like the other postal registers, the register-MAC is multiply stored in the NVRAM and is stored for specific events in the EEPROM since this allows only a limited number of memory cycles.

FIG. 11 shows the fundamental execution of a check with the postage meter machine switched on. During the running time of the postage meter machine, the microprocessor system can form the MAC (step 1027.4) about the memory area SOa to be checked (step 1027.1) according to the same cryptographic checksum method (step 1027.2) at the times
meter machine: cryptographic checksum method (step 1027.2) at the times 
of start security check 1020, before every franking (franking mode 400) and before every remote value prescription (communication mode 300), using the same secret code (block 63, (step 1027.3)) and compares this generated MAC (step 1027.4) to the MAC (T1) taken (step 1027.5) in step 1027.6.

Given a negative comparison (step 1027.7), appropriate measures (step 1030) can then be taken that prevent further operation of the postage meter machine.

FIG. 5 shows the flowchart for a franking mode with inventively integrated check steps that are implemented before printing. These likewise protect the security of selected postal data values set forth in greater detail in FIGS. 10 and 11 in an electronic postage meter machine with a [illegible]

The explanation of the steps after the franking mode, shown in FIG. 5, ensues based on the block circuit diagrams of FIGS. 1 and 2 and the flowcharts of FIGS. 3 and [illegible]

The invention proceeds on the basis that, after power-up, the postal value in the value stamp is automatically prescribed corresponding to the last input before the power-up of the postage meter machine and the date in the date stamp is automatically prescribed according to the current date, and that the variable data for the imprint are electronically embedded into the fixed data for the frame and for all appertaining data that have remained unmodified. These variable data of the window contents are referred to in brief below as window data and all fixed data for the value stamp, the date stamp and the advertising imprint stamp are referred to as frame data. The frame data can be obtained from a first memory area of a read-only memory (ROM) that simultaneously serves as the program memory 11. The window data are taken from a second memory area and are stored in memory areas B[illegible] of the non-volatile main memory 5 according to the input. A step 1040, shown in FIG. 4, is provided for such an imprint or franking format processing. This step includes an automatic routine for calling picture element data files, the allocation and embedding of pixel image data of the fixed and semi-variable as well as variable print image

tion mode 300 or in further steps such as, for example, in step 401 of the franking mode 400.

In step 209, the data from the aforementioned memory areas are compiled according to a predetermined allocation to form a pixel print image, before printing. The variable information in the window provided for that purpose can be subsequently supplemented and modified. In order to save time, only the parts of a graphic presentation that are in fact modified are newly stored in the non-volatile main memory given a modification. A first memory area A (among other things, for the data of the constant parts of the franking format) is present in the program memory 11 and a further memory area Aai (for the advertising imprint frame) is present in the imprint-EPROM. The sub-memory areas A[illegible] are provided for i=(1-m) frame or fixed data, whereby [illegible] allocated index i identifies the respective frame that is preferably allocated to a specific cost center. The corresponding allocation of the respective cost center to the frame data is automatically interrogated after power-up. In a modification proposed in European Application 658 861, the cost [illegible] automatically allocated by entering an imprint [illegible] selection of a user-associated imprint and [illegible] be entered anew into the [illegible] power-up.

All alphanumerical characters or symbols are deposited pixel-by-pixel as binary data in the character memory 9. The [illegible] characters or symbols are stored in [illegible] numbers in the non-volatile main [illegible] the memory area C, the com[illegible] converted [illegible] character memory 9 into a print image comprising binary pixel data. The print image is stored in decompressed [illegible] main memory 7. For explaining the invention main memories 7a, 7b and pixel memory 7c are employed below, even though, physically, a single memory is preferably used. Based on security considerations, the [illegible] OTP-RAM, and thus cannot be manipulated.

data. The appertaining program is stored in the program- The memory areas in the non-volatile main memory 5 can 

EPROM or in the internal OTP-ROM. Since no program contain a number of sub-memory areas in which the respec- 

branch to program parts stored in the external program- five data are stored in data sets. The sub-memory areas B^. are 

EPROM ensues up to step 1040, no manipulation of the 45 provided for j=(l-n) window data, whereby various alloca- 

production of the print image can ensue. lions between the sub-memory areas of the various sub-areas 

The data, of course, can be taken from the aforementioned ^ predetermined manner, 

memories at any time during the running time of the postage Control code and run-length-coded frame or window data 

meter machine for the purpose of creating a new composi- ^^e altemating contained in succession in every data set of 

tion to form an overall fonnat of the franking format. It is 50 a sub-memory area A^-, Aai, By, Before printing, the respec- 

thus provided in a preferred modification that the hexadeci- ^ive selected fixed data are transferred in step 209 into a first 

mal window data are transmitted in run-length-coded form register 701, 711, 721, . . . , of the volatile main memory 7a, 

into the respectively separate memory areas B^ through whereby control codes are decoded during the transfer and 

of the non-volatile main memory 5a and are stored therein. are stored in a separate memory area of the main memory 7b. 

Moreover, the time in the clock/date module 8 continues to 55 Likewise, the respective, selected window data for the postal 

run constantly even when the postage meter machine is stamp and the value stamp are loaded into a second register 

mrned off. When, thus, the step 401 in the franking mode 702, 712, 722, Preferably, the registers are formed by 

400 is reached, data akeady stored arc accessed after the sub-memory areas in the memory area of the main memory 

power-up of the postage meter machine, possibly without ^a. In the preferred version, these aforementioned registers 

manual or renewed extemal data input. This setting relates, 60 a component of the microprocessor control unit 6. By 

in particular, to the most recent setting of the postage meter decompression, the run-length-coded, hexadecimal data are 

machine with respect to the postage amount that is displayed converted into corresponding, binary pixel data, 

in step 209 before the editing of the printing data ensues. The The invention also includes an implementation of authen- 

current, variable pixel image data (date and postage value) ticity checks in the result of the print data input in step 1040 

are thereby embedded into the fixed frame pixel image data. 65 for frame and/or window data during the start and initial- 

An interrogation of the input means for potential, further ization routine 101 and in step 209 for security-associated 

inputs subsequently ensues in step 301 of the commimica- window data which were modified in the printing data input. 
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wherein steps for preveniiog a further program execution or, 
a program branch leading out of the OTP processor in the 
aforementioned system routine (200) are implemented given 
a lack of authenticity. Steps for further program execution 
within the aforementioned system routine (200) are imple- 5 
men ted given authenticity. 

FIG. 14 shows a flow chart for securing security- 
associated data in a freely accessible memory in an elec- 
tronic postage meter machine. An input for modifying 
window data ensues in step 209-1. The input is displayed in 
step 209-2 and a branch is then made to a first check step 
209-3 from a number of check steps 209-3 through 209-12. 
For example, printing data of the value stamp and other data 
such as, for example, location of the sender, postal area code 
of the sender, etc., that are to be protected against manipu- 
lation on the basis of the method set forth in FIG. 14, are 
located in the external program memory (EPROM). The 
check steps allow a branch to one of the steps 2094 through 
209-11 when a different value, slogan, imprint or other data 
were selected during the input. The method affords adequate 
security, even though the MAC is formed only over the 
corresponding to the selection area in the EPROM that 
contains data. Via a step 209-20 for resetting the loop 
counter, a branch is subsequently made back to step 209-1. 
When all check steps 209-3 through 209-12 have been run 
without modification or, upon the selection of a new value 
or new data, then point e is reached. 

The method disclosed in European Application 0 660 269, 
wherein the check of the program with MAC ensues only 
once at the beginning of the running time of the postage 
meter machine, is inventively improved by additional secu- 
rity checks of the individual, subsequently modified window 
data. Advantageously, a subsequent replacement of the 
EPROM data can now be recognized during the running 
time of the operating postage meter machine. A manipula- 
tion or insertion of manipulated data at the moment when the 
data are to be read-in is thus rendered impossible. 

Steps 209-10 or 209-11 are set forth in greater detail in 
FIG. 15. When no new input is recognized (step 2090), a 
branch is made back to step 209-20. Before the application 
of the MAC, the external EPROM data to be secured are 
completely loaded into the memory of the postage meter 
machine (step 2091) and a MAC is subsequently formed 
(step 2092) over this RAM area. In step 2094, this MAC is 
compared to a precalculated MAC (step 2093) that is 
deposited at a suitable location, preferably in the external 
EPROM. The advantage of this modification is that only 
those data are employed in the postage meter machine that 
have withstood the security check, since the externally 
accessible EPROM, and thus the data for the check and the 
further-processing, are read only once. This procedure pre- 
vents data from being subsequently manipulated (for 
example, by switching the external EPROM) since these 
data are read only once for forming MAC and for further- 
processing. 

When the comparison of the just-formed MAC and the 
reference MAC, which is preferably located in the external 
RAM, is negative, then suitable measures can ensue. For the 
purpose of error evaluation and display, a branch is prefer- 
ably made via step 209-13 to step 209-14. The external data 
that are not simultaneously required in the postage meter 
machine can be stored in the external EPROM memory 
divided according to data sets. This method allows a time- 
saving in the checking of the external data because a MAC 
need only be formed over a sub-area and compared to that 
stored in the EPROM. The memory required for the check 
of the MAC in the postage meter machine is thereby reduced 
in size. When, for example, five external data areas 
(advertising slogan, selective imprints or the like) exist, then 
only one-fifth of the overall data set need be transferred into 
the internal memory (lower memory requirement) and only 
approximately one-fifth of the time is required for forming 
the MAC. A check thus need not ensue over all four data 
areas. Dependent on the number of data areas to be secured, 
the same number of reference MACs is also located in the 
external memory (EPROM or ROM). In other modifications, 
the MACs can be located in the NV-RAM of the postage 
meter machine or even in the internal ROM of the postage 
meter machine. When the MACs are deposited in the 
internal NV-RAM, this also has the advantage that a non- 
secured external EPROM or ROM can be authorized by 
entering a code into the postage meter machine. As a result 
thereof, no fixed ciphers need be utilized in generating the 
external ROMs. Each postage meter machine can have its 
own cipher available to it for generating the MACs. 

The security of this new method is thus based on the use 
of one or more inaccessible methods (for example, DES) 
and/or one or more inaccessible ciphers for the formation of 
the MAC, these being located in the internal OTP-ROM of 
the postage meter machine. The same ciphers or the same 
methods have also been employed for the MACs stored in 
the ROM in the production of the ROM. 
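
The read-once check of FIG. 15 with one reference MAC per data set, as an added example that is not part of the patent: HMAC-SHA256 stands in for the DES-based MAC, and the class names, key and data sets are constructed for illustration. The second selection method shows the verify-then-reread ordering that reading the external EPROM only once rules out.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 stands in for the DES-based MAC named in the text.
# DEVICE_KEY models the cipher kept in the internal OTP-ROM (constructed value).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed data sets: one entry per separately secured imprint part.
GENUINE = {
    "slogan_1": b"POSTAGE PAID",
    "slogan_2": b"AIR MAIL",
    "slogan_3": b"PRINTED MATTER",
}
FORGED = {name: b"FORGED IMPRINT" for name in GENUINE}


def make_mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class ExternalEprom:
    """Externally accessible memory holding data sets and their reference MACs."""

    def __init__(self, data_sets, macs):
        self.data_sets = dict(data_sets)
        self.macs = dict(macs)
        self.reads = 0
        self.swap_after_next_read = None  # models exchanging the chip at run time

    def read(self, name):
        self.reads += 1
        data = self.data_sets[name]
        if self.swap_after_next_read is not None:
            self.data_sets = dict(self.swap_after_next_read)
            self.swap_after_next_read = None
        return data


def build_eprom(key, data_sets):
    """Production step: reference MACs are formed with the same key as the meter's."""
    macs = {name: make_mac(key, data) for name, data in data_sets.items()}
    return ExternalEprom(data_sets, macs)


class MeterBlocked(Exception):
    pass


class Meter:
    def __init__(self, key, eprom):
        self._key = key
        self._eprom = eprom
        self.blocked = False

    def _check(self, name, ram_copy):
        computed = make_mac(self._key, ram_copy)       # step 2092
        reference = self._eprom.macs[name]             # step 2093
        if not hmac.compare_digest(computed, reference):  # step 2094
            self.blocked = True
            raise MeterBlocked("MAC mismatch for " + name)

    def select_imprint(self, name):
        """Read the selected data set once, check the RAM copy, use the RAM copy."""
        if self.blocked:
            raise MeterBlocked("meter is blocked")
        ram_copy = bytes(self._eprom.read(name))       # step 2091
        self._check(name, ram_copy)
        return ram_copy

    def select_imprint_reread(self, name):
        """Contrast case: the checked bytes and the used bytes come from two reads."""
        self._check(name, self._eprom.read(name))
        return self._eprom.read(name)


def demo_read_once():
    eprom = build_eprom(DEVICE_KEY, GENUINE)
    eprom.swap_after_next_read = FORGED
    used = Meter(DEVICE_KEY, eprom).select_imprint("slogan_1")
    return used, eprom.reads


def demo_reread():
    eprom = build_eprom(DEVICE_KEY, GENUINE)
    eprom.swap_after_next_read = FORGED
    used = Meter(DEVICE_KEY, eprom).select_imprint_reread("slogan_1")
    return used, eprom.reads


def demo_tampered():
    eprom = build_eprom(DEVICE_KEY, GENUINE)
    eprom.data_sets["slogan_2"] = b"AIR MAIL (altered)"  # changed without the key
    meter = Meter(DEVICE_KEY, eprom)
    refused = 0
    for name in ("slogan_2", "slogan_1"):  # second call hits the blocked state
        try:
            meter.select_imprint(name)
        except MeterBlocked:
            refused += 1
    return meter.blocked, refused
```

Only the selected data set is read and checked, so the cost of a selection stays at one read and one MAC regardless of how many imprint parts the external memory holds.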

Given the employment of this method for securing com- 
pressed imprint data, the MAC is formed via the uncom- 
pressed data in the RAM. As a result thereof, a further saving 
in memory space is achieved since compressed and uncom- 
pressed data need not be simultaneously deposited in the 
memory of the postage meter machine. 

In another modification, the external data can be present in 
uncompressed form, whereby the data are then directly 
transferred into the internal memory and the MAC is then 
formed over the internal memory or parts thereof. The 
separate securing of the individual imprint parts has, 
additionally, the advantage that the time requirement for 
checking the MAC when selecting an imprint remains low, 
since only those imprint parts that are required at the 
moment are checked. Only one MAC is provided for the 
check of the data in an imprint memory (for example, ROM) 
and every individual imprint (advertising slogan or other 
parts, e.g. postage paid) has its own MAC. 

In addition to imprint data, other data to be introduced 
into the postage meter machine can be secured by this 
method. These data can be located in an external ROM, in 
an external RAM, in an external NV-RAM or on a chip card 
or any combination of the aforementioned. The check again 
ensues only after the transmission of the data into the 
internal memory of the postage meter machine. When it is 
found in step 209-11 that the MACs are not identical, then, 
as in the present instance, the error can be displayed in step 
209-14 and the machine can be subsequently blocked. 
Another possibility, for example when securing imprint data, 
is to print a standard imprint for this instance that indicates 
a manipulation. This imprint can thereby be printed instead 
of or in addition to the manipulated imprint. It is also 
possible to modify a different imprint (data, value) such that 
a manipulation can be recognized. 

Once retrieved, the constant parts of the franking format 
are available constantly decoded in the pixel memory area I 
in the volatile pixel memory 7C. For fast modification of the 
window data, a second memory area B exists in the non- 
volatile main memory 5. 

The data blocks that are entered with a keyboard 2 or via 
an electronic scale 22 that calculates the postage value and 
is connected to the input/output unit 4, and which are 
required for generating the input data, are automatically 
stored in the memory area D of the non-volatile main 
memory 5. Moreover, datasets of the sub-memory areas, for 
example B_j, C, etc. are preserved. It is thus assured that the 
last-entered quantities are also preserved when the postage 
meter machine is shut off, so that the postage value accord- 
ing to the last input before the shut-off of the postage meter 
machine and the date in the date stamp corresponding to the 
current date are automatically prescribed upon power-up. 
When a scale 22 is connected, the postage value is taken 
from the memory area D. A check is carried out in step 401 
to determine whether an input is present. A branch is made 
back to step 209 given a renewed input request in step 401. 

Otherwise, a branch is made to step 405 via the steps 402 
and 404 for incrementing a run counter and for checking the 
number of runs, in order to wait for the print output request. 
The letter to be franked is detected by a letter sensor and, 
thus, a print request is triggered. A branch can thus be made 
to the accounting and printing routine in step 406. When no 
print output request in step 405 is present, a branch is made 
back to step 209 (point t). 

When, according to the preferred version shown in FIG. 
5, a branch is now made back to point t and step 301 is 
reached, a communication request can be produced at any 
time or some other input can be actuated according to the 
steps for changing data 209, test request 212, register check 
214, as well as input request 401. Steps 401-404 as in the 
version according to FIG. 5, are now executed again. Given 
a predetermined number of runs, a branch is made from step 
404 to step 408. The alternative interrogation criteria can be 
interrogated in step 404 in order to set a standby flag in step 
408 when a print output request is not yet present after a 
predetermined time. As already set forth above, the standby 
flag can be interrogated in step 211 following the commu- 
nication mode 300. A branch is thus not made to the franking 
mode 400 before the check has shown the full complement 
of all, or of at least selected, programs. 

When a print output request is recognized in step 405, 
further interrogations are actuated in the following steps 409 
and 410 as well as in 406. For example, the presence of 
authenticated registered values (FIG. 11) is interrogated in 
step 409 and the reaching of a further item count criterion is 
interrogated in step 410 and the register data used in a 
known way for accounting are interrogated in step 406. As 
already set forth with reference to FIG. 10, moreover, a 
securing of selected registers in the NVRAM of the postage 
meter machine is implemented by MAC formation. If the 
predetermined number of frankings was reached in the 
preceding franking, i.e. the franking number is equal to zero, 
a branch is automatically made from step 410 to point e, in 
order to enter into the communication mode 300 so that the 
data central again credits a new, predetermined item number 
S. If, however, the predetermined franking number was not 
yet reached, a branch is made to the calculating and printing 
routine in step 406 from step 410. A specific sleeping mode 
counter is initiated to count one further counting step in step 
406, i.e. during the accounting routine ensuing immediately 
before printing. Likewise, the number of printed letters and 
the current values in the postal registers corresponding to the 
input cost center are registered in non-volatile memories 
5a, 5b of the postage meter machine in the accounting 
routine 406 and are available for later evaluation. 

The register values can be interrogated in the display 
mode 215 as needed. It is likewise provided that the register 
values or other service data be printed out with the printing 
head of the postage meter machine for accounting or moni- 
toring purposes. This, for example, can likewise ensue as 
does the normal printing of the franking format, however, a 
different frame is initially selected for the fixed image data 
wherein the variable data corresponding to the register 
values stored in the non-volatile memory NVM 5 or, in the 
cost center memory, are inserted. This can be done similar 
to the manner disclosed in German published Application 42 
24 955 for the formation and presentation in three multi-line 
information groups or for a required switching into a cor- 
responding mode. Contrary to the approach of German 
published Application 42 24 955, the data when a rotated 
illustration is requested are already directly deposited in 
rotated form in the volatile memory in a manner as required 
for printing. The time-consuming routine of rotating the 
printing data is implemented only once for an additional 
picture element data file in the programming of the EPROM 
at the manufacturer, which only requires more memory 
space but no increased calculating performance in the post- 
age meter machine. 

It is also provided in another modification that variable 
pixel image data are embedded into the other pixel image 
data during printing. Corresponding to the position report 
supplied by the encoder 13 about the feed of the postal 
matter, or of the paper strip, in relationship to the printer 
module 1, the compressed data are read from the main 
memories 5a and 5b, and are converted with the assistance 
of the character memory 9 into a printing image comprising 
binary pixel data, this printing image being likewise stored 
in this decompressed form in the volatile main memory 7. 
Further details may be derived from European Applications 
576 113 and 578 042. 

The pixel memory area in the pixel memory 7 is thus 
provided for the selected decompressed data of the fixed 
parts of the franking format and for the selected decom- 
pressed data of the variable parts of the franking format. The 
actual printing routine (in step 406) ensues after the account- 
ing. 

As proceeds from FIG. 1, the main memory 7 and the 
pixel memory 7 are in communication with the printer 
module 1 via a print controller 14 including a print register 
i^Reg) 15 and output logic. The pixel memory 7 has its 
output side connected to a first input of the printer controller 
14, which has other control inputs at which output signals of 
the microprocessor control unit 6 are present. 

When all columns of a print image have been printed, a 
branch is made back to the system routine 200. 

Upon transition into the system routine 200 — FIG. 3 —, a 
check is first carried out in step 202 following a further step 
201 for data retrieval particularly sleeping mode item num- 
ber data, to determine whether the criteria for entry into the 
sleeping mode are met. When this is the case, a branch is 
made to step 203 in order to display at least one alarm with 
the display unit 3. Further steps 204 through 206 can thereby 
be executed before a branch is made to step 209. When this 
is not the case, however, a branch is likewise made to step 
209. In any case, the point t is reached following the steps. 

After an ensuing new input and input/display routine with 
printing data compilation and retrieval of the required pic- 
ture element data files in step 209, point c, i.e., the beginning 
of a communication mode 300, is now reached assuming 
that no relevant deficiencies were found. To that end, an 
inquiry is made in step 301 to determine whether a trans- 
action request is present. When this is not the case, the 
communication mode 300 is exited at point f, i.e., the 
operating mode 290 is reached. If relevant data were
communicated in the communication mode, then a branch is to
be made to step 213 for the data evaluation. Otherwise, if
non-communication was found in step 211, a branch is made
to step 212. A check is now carried out to determine whether
corresponding inputs have been made in order, given a test
request 212, to proceed into the test mode 216 or into a
display mode 215 if a check 214 of the register readings is
intended. When this is not the case, point d, i.e., the
franking mode 400, is automatically reached.

It is also inventively provided that a statistics and error
evaluation is implemented in step 213 in order to acquire
further current data that can likewise be retrieved in step 201
after branching to the system routine 200.

When point e, i.e., the beginning of the communication
mode 300 set forth below, has been reached, an inquiry is
made in step 301 to determine whether a transaction request
is present. This can be made, for example, for reloading
credit and item number or for updating other relevant data.

The user selects the communication or remote value
prescription mode of the postage meter machine by the input
of the identification number (8-place postage call number)
and via the actuation of the predetermined T-key. When the
desired input parameter is properly displayed, this is
confirmed by renewed actuation of the predetermined T-key of
the input means 2. The input parameter is edited as needed.
A presentation corresponding to the input then appears in the
display unit 3.

By actuating the predetermined T-key, the transmission of
the input parameter via modem connection is started and the
input is checked. The further operation proceeds
automatically, whereby the execution is accompanied by
a corresponding display.

To that end, the postage meter machine checks whether a
modem is connected and operational. When this is not the
case, a branch is made to step 310 in order to display that the
transaction request must be repeated. Otherwise, the postage
meter machine reads the selection parameters composed of
the election parameters (main/extension, etc.) and the
telephone number from a NVRAM memory area F and sends
this together with a selection request command to the
modem 23. The call set-up required for the communication
subsequently ensues via the modem 23 to the data central
station. If a predetermined number (n) of unsuccessful
selection repetitions for the purpose of a call set-up occurs,
a branch is made back to point e via a display step 310.

A transaction implemented during the communication
with encrypted messages has a prescribed value for a credit
reloading value that is communicated to the remote data
central; and the transaction implemented during the
communication with encrypted messages has a specific item
number S' for a sleeping mode.

One of the transaction requests leads to a specifically
secured credit reloading in the postage meter machine. The
securing of the postal registers which are present outside the
processor in the cost center memory preferably also ensues
during the credit reloading with a time control. When, for
example, the postage meter machine is operated
(manipulated) using an emulator/debugger, then it is
probable that the communication and accounting routines will
not sequence within a predetermined time. When this is the
case, i.e., the routines require substantially more time, this
would be recognized in the postage meter machine and,
consequently, critical memory areas will be irretrievably
erased. The postage meter machine is thus prevented from
continuing to operate.

Relevant ciphers (crypto keys) are required from the
communication of the data required for a credit reloading
and/or item number reloading, these having been deposited
in encrypted form in the memory. The principle of the
securing concept is shown in FIGS. 12 and 13.

An application of the DES algorithm preferably ensues
using the crypto keys required for the remote value
prescription in order to deposit this value in encrypted form.
The data transmission of the postage meter machine to the
data central in the communication mode 300 is likewise
secured with a DES algorithm, a secret DES crypto key
being required for this purpose. This secret DES crypto key
is formed in the communication mode 300 by decoding the
encrypted crypto keys during the running time of the postage
meter machine, i.e., during the communication mode 300, in
the OTP in order to load a secret crypto key KAct into the
internal OTP-RAM.

FIG. 12 shows the input encryption of the remote value
prescription DES crypto key K[...] for securing the remote
value prescription DES crypto key K[...] against manipulation.

During manufacture or during service by an authorized
technician, each postage meter machine receives a fixed
remote value prescription crypto key K[...] via its user
interface 2, 3 that must be kept hidden in the NVRAM. For
that purpose, the remote value prescription crypto key is
encrypted in step 60 with the cryptographic function, data
encryption standard (DES) using the secret crypto key
stored in the OTP-ROM (step 64). The encrypted crypto key
K[...] is now deposited in the external data memory NVRAM.

The steps which must be implemented during the running
time of postage meter machine for a remote value
prescription so that the DES crypto key KAct is formed from the
encrypted key K[...] value in the external NVRAM, that is
held in the processor-internal RAM for the time of the
remote value prescription procedure, are shown in FIG. 13.
The secret crypto key K[...] is taken from the internal
OTP-ROM (Block 64) and the encrypted crypto key crypt
K[...] is taken from the NVRAM. Block 60 of FIG. 13 shows
the decoding of the DES crypto key K[...] and a storing in the
internal OTP-RAM for the remote value prescription in
Block 65.

The postage meter machine implements the register check
regularly and/or upon power-up and can thus recognize the
lacking information when the machine had been opened in
unauthorized fashion. The postage meter machine is then
blocked.

The potential manipulator of a postage meter machine
must overcome a number of thresholds, this, of course,
requiring a certain time. When no connection from the
postage meter machine to the data central is set up within
certain time intervals, the postage meter machine already
becomes suspect. It is assumed that the person who is guilty
of a manipulation at the postage meter machine will not
report to the data central station.

The control unit 6 is a microprocessor or an OTP
processor. In addition to a microprocessor, non-volatile
memories and further circuits are accommodated in a common
housing in the OTP. The internal, non-volatile memory, for
example, includes program memories and, in particular, also
allows the possibility of setting security bits that prevent the
read-out of the internal non-volatile memory toward the
outside. These security bits are set in the OTP during the
manufacture of the postage meter machine. Following such
security-associated routines such as, for example, accounting
routines with an emulator/debugger would likewise lead
to a modified time execution which can be identified by the
OTP processor. This also includes a clock generator/counter
circuit for the prescription of time intervals or clock cycles,
for example, for the time-out generation or printer control.
When a specific time has elapsed and the anticipated event
has not occurred, the clock generator/counter circuit
generates an interrupt that reports the result-free expiration of
the time span to the microprocessor, whereupon the
microprocessor initiates further measures. Inventively, the clock
generator/counter circuit is utilized for monitoring program
running time. A known number of clock cycles for the
program execution of predetermined program parts is
thereby used. Before the start of the routine, the counter of
the clock generator/counter circuit is pre-set or reset in a
predetermined way. After the start of the program routine,
the counter reading is continuously modified corresponding
to the clock pulses of the clock generator. After processing
the critical, predetermined program parts, the status of the
counter is interrogated by the microprocessor and is
compared to the anticipated value. When a predetermined
deviation in the running time of critical or, respectively,
security-associated program parts is exceeded, the postage meter
machine can thus no longer be operated for franking (kill
mode 1). When a manipulator performs an unauthorized
operation, the postage meter machine is effectively shut
down during the running time by being converted into the
first mode.

The register readings are checked during an inspection.
As needed, a test impression with the value 0 can be made.
Given repair by service on site, operations may potentially
be performed on the postage meter machine. The error
registers, for example, can be read out with the assistance of
a specific service EPROM that is plugged-in instead of the
advert-EPROM. If this EPROM plug-in location is not
accessed by the processor, access to the data lines is
prevented by specific driver circuits (buffers) shown in FIG. 2.
The data lines, which can be reached through an unsealed
housing door, can thus not be tapped in an unauthorized
fashion. Another possibility is to undertake the read-out of
error register data by a service computer connected via an
interface, whereby the interface must then have
corresponding security measures.

During times in which printing is not carried out (standby
mode), an inquiry ensues in view of manipulation
attempts and/or the checksum of the register readings is
formed and/or is formed over the content of the program
memory PSP 11. In order to improve the security against
manipulation, the checksum is thereby formed for a kill
mode 2 in the OTP over the content of the external program
memory PSP 11 and the result is compared to a
predetermined value stored in the OTP. This preferably ensues in
step 101 when the postage meter machine is started or in step
213 when the postage meter machine is operated in standby
mode. The standby mode is reached when a predetermined
time elapses without an input or a print request. The latter
occurs when a letter sensor of a known type — not shown in
detail — does not identify a next envelope that is to be
franked. Step 405 — shown in FIG. 5 — in the franking mode
400 therefore also includes a further inquiry about a time

i.e., whether the standby mode has been reached. In this
case, a branch is likewise made to step 213. The advantage
of this method in conjunction with the first mode is that the
manipulation attempt is statistically acquired in step 213.

[...] to further enhance the security against
manipulations, a flow control is inventively utilized that is
[...] modifying a [...] implementation of the program routine.
After the execution of the program routine, the modified
numerical value is compared to a predetermined numerical
value allocated to the program routine. When branchings are
executed during the program run, different numerical values
will result. A plausibility test is implemented in a following
evaluation or a determination can be made as to what
branchings were executed. This is achieved by the
modification of the numerical value ensuing by a multiplication
by a specific prime number allocated to the respective
program part. A prime number resolution merely has to be
implemented then in a later evaluation.

[...] those program parts without branchings are taken into
consideration or wherein [...] required, an incrementing of
the numerical value and subsequent comparison to at least
one predetermined numerical value is then adequate.

The overall flow chart shown in FIG. 3 for a security
[...] comprises steps 201 through 206 for monitoring
[...] infringement of one of the security [...] example, when
a connection to the data central has [...] predetermined item
number.

The postage meter machine and the data central agree on
a predetermined item number s, i.e., the amount that can be
franked up to the next communication set-up. When a
communication does not occur (item number monitoring),
the postage meter machine slows down its operations
(sleeping mode version 1).

Another version provides a constant warning for the
impending entry into the sleeping mode step 203. This must
be constantly executed in step 202 due to the satisfied
interrogation criterion before step 205 is reached. The step
203 includes a sub-step for error statistics corresponding to
the statistics and error evaluation mode 213.

As disclosed in U.S. Pat. No. 3^55,439, the postage meter
machine requests a connection to the data central station.
When the connection is set up, the data central station
checks the register readings. When the reloading cannot be
undertaken, the data central station prevents further
operation of the postage meter machine with a signal
communicated to the postage meter machine. If the connection arose
shortly after the signaling undertaken by the postage meter
machine and the register readings are not objected to, the
postage meter machine can be switched back into the
operating mode without another unscheduled inspection. To
lapse, whereby a time transgression ultimately leads again to this end, new current data, for example for a credit and for 
point e, and thus to the input routine according to step 209. the allowed number of items that can be franked up to the 
When the interrogation criterion is met, a standby flag is set next set up of a connection, are communicated, 
in step 408 and a direct branch is made back to the point s eo On the basis of the signaling code communicated, the data 
to the system routine 200 or the point t without running central can distinguish between automatically undertaken 
through the accounting and printing routine in step 406. The and normal communication. The former will always ensue 
standby flag is interrogated later in step 211 and is reset in when the user of the postage meter machine has overlooked 
step 213 after the checksum check when no manipulation or ignored the requests to communicate and fafls to imple- 
attempl has been recognized. 65 ment appropriate input actions. When this is repeated and 

To this end, the interrogation criterion in step 211 is given suspicion of a manipulation, an unscheduled inspec- 

expanded by determining whether the standby flag is set, tion can thereby be arranged. 
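The start and standby checks described above (a MAC over the external program memory, compared inside the OTP with a stored value, with the standby flag reset only on a clean result) can be sketched as follows. This is an added example, not code from the patent: the class and function names and the sample bytes are constructed, and HMAC-SHA256 from the Python standard library stands in for the DES-based MAC the patent names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    SYSTEM_ROUTINE = "system routine"
    FIRST_MODE = "first mode, franking blocked"


@dataclass(frozen=True)
class Otp:
    """Values held inside the OTP processor (constructed sample values)."""
    key: bytes
    expected_mac: bytes


def program_mac(key: bytes, program_memory: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the patent's DES-based MAC in this sketch.
    return hmac.new(key, program_memory, hashlib.sha256).digest()


class Meter:
    def __init__(self, otp: Otp, external_memory: bytearray):
        self.otp = otp
        self.external_memory = external_memory  # program memory outside the OTP
        self.mode = Mode.FIRST_MODE             # fail closed until the start check passes
        self.standby_flag = False

    def _memory_valid(self) -> bool:
        actual = program_mac(self.otp.key, bytes(self.external_memory))
        # Constant-time comparison with the predetermined value stored in the OTP.
        return hmac.compare_digest(actual, self.otp.expected_mac)

    def start(self) -> Mode:
        """Start security check, run before the system routine is entered."""
        self.mode = Mode.SYSTEM_ROUTINE if self._memory_valid() else Mode.FIRST_MODE
        return self.mode

    def enter_standby(self) -> None:
        """A time lapse without input or print request sets the standby flag."""
        self.standby_flag = True

    def standby_check(self) -> Mode:
        """Repeat the check while not printing; reset the flag only if it passes."""
        if self.standby_flag and self.mode is Mode.SYSTEM_ROUTINE:
            if self._memory_valid():
                self.standby_flag = False
            else:
                self.mode = Mode.FIRST_MODE
        return self.mode

    def frank(self, amount: int) -> bool:
        """Franking is refused whenever the meter is in the first mode."""
        return self.mode is Mode.SYSTEM_ROUTINE and amount >= 0


def demo() -> list:
    key = b"constructed-otp-key"
    memory = bytearray(b"\x02\x00\x10franking routine v1 (constructed)")
    meter = Meter(Otp(key, program_mac(key, bytes(memory))), memory)
    results = [meter.start(), meter.frank(110)]
    memory[3] ^= 0x01              # one flipped bit in the external program memory
    meter.enter_standby()
    results += [meter.standby_check(), meter.frank(110), meter.standby_flag]
    results.append(meter.start())  # a restart repeats the check and fails again
    return results
```

The meter starts in the blocked mode and only leaves it after a passing check, so an interrupted or skipped check cannot leave franking enabled.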
A return directly to the communication mode 300 point e can be made from the franking mode. Other inputs, for example according to the steps of test requests 212 or register check 214, can also be actuated. Only when a branch is made to the franking mode 400 is a finding made again in step 410 corresponding to the decision criterion as to whether an automatic communication is required. This is preferably the case when the predetermined item number has been used.

When the communication was successful and data were communicated (interrogated in step 211), step 213 is likewise reached. The current data are identified or loaded in step 213, this being data retrieved in step 201 and being subsequently required again during the comparison in step 202. The decision criterion that is communicated is preferably the new item number S'.

In an alternative version the decision criterion is the new credit communicated for franking and the new item number S' is internally identified in the postage meter machine in the evaluation mode 213. In this case, the communication with the data central no longer covers the new item number S' but is only required for triggering the calculation in the evaluation mode 213. The calculation ensues internally in the postage meter machine and simultaneously therewith in parallel in the data central according to the same methods on the basis of the communicated register data.

The postage meter machine can communicate the following register values to the data central before a credit reloading:

R1 (descending register) remaining amount on hand in the postage meter machine;

R2 (ascending register) aggregate used amount in the postage meter machine;

R3 (total resetting) the previous total prescribed sum of all remote value prescriptions;

R4 (piece count sum printing with value unequal to 0) plurality of valid impressions; and

R8 (R4 + piece count sum printing with value equals 0) plurality of all impressions.

Following therefrom: R3 = R2 + R1

R1 can be interrogated and statistically evaluated at every remote value prescription. When R1 becomes continuously larger, then the same reloaded amount can be reloaded at larger and larger reloading periods, or the item number that is allowed to be franked up to the next communication is set lower.

A postage meter machine profile can be produced on the basis of the data associated to a specific postage meter machine. This postage meter machine profile provides information as to whether a customer was in the position with the implemented reloading events to carry out the identified number of frankings. Two stages are to be distinguished within the suspicious mode:

1. Postage meter machine is suspicious; and

2. Postage meter machine must have been manipulated.

A plausibility check of all postage meter machines in operation is implemented at regular intervals in the data central. In this method, the machines whose franking behavior seems suspicious or that have been manipulated are identified and reported to the postal authority. Yet another security measure (error overflow mode) is potentially provided in the postage meter machine. This can be implemented in the second mode in addition to or instead of the sleeping mode version 1 or sleeping mode version 2. When the interrogation criterion in step 202 is met, i.e. when a predetermined number of errors is exceeded, the reaction time span of the postage meter machine slows down in step 203, whereby this condition is simultaneously reported to the user of the postage meter machine via the display.

Procedures similar to those set forth in conjunction with FIGS. 2 and 5 can be carried out in the further steps. The postage meter machine stores both internal and operating errors and manipulation attempts in an error register for reporting purposes, for example up to the number 999. When the cause of the excess number of errors has not been eliminated, for example, within an inspection by a service [...] by resetting during a communication with the data central station, the reaction time span can be increased further in order to make potential manipulations more difficult. The number of errors then continues to be reported, i.e., again up to a predetermined number, for example, in step 213.

In a first version the reaction time span is linearly increased, for example the time span until printing operations begin, with the number of errors. The execution of the program is thereby neither modified nor prevented, merely retarded. In particular, uncritical program parts that are not monitored by time supervision (kill mode 1) or flow control are multiply executed such as, for example the error display. The [...] of the program thus remains essentially unmodified.

In a second version, the reaction time span is respectively increased by one step, whereby the steps can be seconds, minutes, hours, days, . . . etc.

[...] modification or in combination with the aforementioned versions, an increase in the reaction time span can also be provided given a malfunctioning. An electronic time [...] embodiment. A progressive increase in the reaction time span is preferably provided in the operating program in order to make a manipulation more difficult.

Step 213 may be executed as a sub-step partially or entirely in conjunction with other steps. For example, the statistics and error mode is a component of step 203 and the accounting and printing routine according to step 406 in the franking mode 400 that is shown in greater detail in FIGS. 3 and 5. When a serious accounting error occurs, the machine is blocked in step 406. When, however, an error occurs during the initialization phase in step 101, the machine stops at the point of the error and displays a specific error code.

On the other hand, there are serious errors that can only be eliminated on the occasion of the next on site inspection by a person authorized to do so. Such an error, for example, when the processor cannot access the main memory, i.e., the data content of the RAM can neither be read nor modified, is eliminated, for example, by plugging-in a specific reset-EPROM. The seal of the flap and the postage meter machine must be opened for this purpose. The reset-EPROM receives the required data, for example, the corresponding cipher, and specific programs for restoring the postage meter machine are executed. For example, such a program can in turn cancel a reduction in redundancy that has occurred. The reporting of the errors that ensues separated according to error types during the operation of the postage meter machine in the statistics and error evaluation mode (step 213) is subsequently thereby checked by the authorized person to see whether a manipulation attempt had been undertaken.

Although modifications and changes may be suggested by those skilled in the art, it is the intention of the inventors to embody within the patent warranted hereon all changes and modifications as reasonably and properly come within the scope of their contribution to the art.

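The plausibility check that the data central runs over the reported registers R1, R2, R3, R4 and R8 can be sketched as follows. This is an added example, not code from the patent: the function and field names, the sample register values, and the rule that decides which findings count as "suspicious" and which as "must have been manipulated" are assumptions; only the register meanings, the identity R3 = R2 + R1 and the agreed item number come from the description above.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    PLAUSIBLE = "plausible"
    SUSPICIOUS = "postage meter machine is suspicious"
    MANIPULATED = "postage meter machine must have been manipulated"


@dataclass(frozen=True)
class Registers:
    r1: int  # descending register: remaining amount on hand
    r2: int  # ascending register: aggregate used amount
    r3: int  # total resetting: sum of all remote value prescriptions
    r4: int  # piece count, impressions with value unequal to 0
    r8: int  # piece count, all impressions (R4 plus value-0 impressions)


def check_report(prev: Registers, cur: Registers, reloaded: int, item_limit: int):
    """Compare a meter's report with the previous one held at the data central.

    reloaded   -- credit the data central booked for this meter since `prev`
    item_limit -- agreed item number for the period since `prev`
    Amounts are integers in the smallest currency unit (assumption).
    """
    hard = []  # findings that cannot occur on an untampered meter
    if cur.r1 < 0:
        hard.append("R1 is negative")
    if cur.r3 != cur.r2 + cur.r1:
        hard.append("R3 != R2 + R1")
    if cur.r8 < cur.r4:
        hard.append("R8 is smaller than R4")
    if cur.r2 < prev.r2 or cur.r4 < prev.r4 or cur.r8 < prev.r8:
        hard.append("a counting register ran backwards")
    if cur.r3 != prev.r3 + reloaded:
        hard.append("R3 does not match the reloads booked at the data central")
    if hard:
        return Verdict.MANIPULATED, hard

    soft = []  # findings that are consistent but call for an inspection
    if cur.r4 - prev.r4 > item_limit:
        soft.append("more items franked than the agreed item number")
    if cur.r2 > prev.r2 and cur.r4 == prev.r4:
        soft.append("amount used without any valid impression counted")
    if soft:
        return Verdict.SUSPICIOUS, soft
    return Verdict.PLAUSIBLE, []


# Constructed sample reports for one meter; 10000 units were reloaded in between.
PREVIOUS = Registers(r1=5000, r2=20000, r3=25000, r4=400, r8=410)
REPORTS = {
    "normal": Registers(r1=12000, r2=23000, r3=35000, r4=450, r8=462),
    "over item number": Registers(r1=12000, r2=23000, r3=35000, r4=600, r8=612),
    "inflated credit": Registers(r1=20000, r2=23000, r3=35000, r4=450, r8=462),
    "unbooked reload": Registers(r1=22000, r2=23000, r3=45000, r4=450, r8=462),
}


def sample_verdicts() -> dict:
    return {name: check_report(PREVIOUS, cur, reloaded=10000, item_limit=100)[0]
            for name, cur in REPORTS.items()}
```

Checking R3 against the data central's own reload records, not only against the meter's R1 and R2, is what catches a meter whose registers are internally consistent but carry credit that was never prescribed.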
We claim:

1. A method for securing data and program code in an electronic postage meter machine against manipulation, said electronic postage meter machine having a microprocessor in a control unit for implementing steps of a start and initialization routine upon turn-on of the postage meter machine and for thereafter implementing a system routine including a communication mode with a data central remote from said postage meter machine and a franking mode including an accounting and printing routine in which a franking amount is printed on a postal item and a debiting of the franking amount is made, followed by a branch back to a beginning of said system routine, said method comprising the steps of:

providing an OTP (one time programmable) processor as said microprocessor in said control unit and providing a storage medium accessible by said OTP processor in said postage meter machine;

storing memory contents which may be valid or invalid, in said storage medium, said memory contents including at least one of data and a program code;

conducting a start security check in said OTP processor, upon said turn-on of said postage meter machine, in said start and initialization routine before conducting said system routine, and in said start security check forming an MAC (message authentification code) over at least a portion of the contents of said storage medium and using said MAC to determine the validity or invalidity of said contents of said storage medium over which said MAC is formed, using an MAC check sum sequence; and

said OTP processor transferring said postage meter machine into the system routine given validity of said memory contents and transferring the postage meter machine into a first mode and preventing franking by said postage meter machine in said first mode given invalidity of said memory contents.

2. A method as claimed in claim 1 wherein the step of conducting said start security check includes the steps of:

storing a predetermined MAC value in a storage medium external to said postage meter machine;

transmitting said predetermined MAC value from said storage medium external to said postage meter machine to said storage medium in said postage meter machine accessible by said OTP processor;

in said MAC check sum sequence, forming an MAC check sum in said OTP processor using said MAC formed over at least a portion of the contents of said storage medium; and

comparing said MAC check sum in said OTP processor to said predetermined MAC value at at least one time selected from the group consisting of before conducting said franking mode, after conducting said franking mode, in said communication mode, and any time at which said postage meter machine is not printing.

3. A method as claimed in claim 1 comprising the additional steps of:

monitoring expiration of a time selected from the group consisting of a time during which no franking of postal items occurs, and a predetermined number of loops of said system routine without any input, and upon expiration of said time said OTP processor placing said postage meter machine in a standby mode; and

conducting at least one further security check in said standby mode and, if an error is identified in said at least one further security check, causing said OTP processor to place said postage meter machine in said first mode wherein franking is prevented.

4. A method for securing data and program code in an electronic postage meter machine against manipulation, said electronic postage meter machine having a microprocessor in a control unit for implementing steps of a start and initialization routine upon turn-on of the postage meter machine and for thereafter implementing a system routine including a communication mode with a data central remote from said postage meter machine and a franking mode including an accounting and printing routine in which a franking amount is printed on a postal item and a debiting of the franking amount is made, followed by a branch back to a beginning of said system routine, said method comprising the steps of:

storing an encrypted, first crypto-key in a non-volatile memory externally from said OTP processor;

storing a second crypto-key and a DES algorithm internally within said OTP process;

decoding said first crypto-key using said second crypto-key in said OTP processor to obtain a decoded, first crypto-key; and

said OTP processor initiating a communication in said communication mode in which data are communicated to said data central, and said OTP processor securing said data in said communication using the decoded, first crypto-key and said DES algorithm.

5. A method as claimed in claim 4 comprising the additional step of additionally securing said data in said communication in said communication mode with an MAC (message authentification code) formed internally over said data in said communication in said OTP processor.

6. A method as claimed in claim 4 wherein the step of said OTP processor conducting a communication in said communication mode with said data central comprises prescribing a value in said OTP processor for a credit reloading and communicating said value, as said data secured by said decoded, first crypto-key and said DES algorithm, to said data central.

7. A method as claimed in claim 4 wherein the step of said OTP processor initiating a communication in said communication mode with said data central includes said OTP processor receiving criterion, encrypted using said first crypto-key and said DES algorithm, for causing entry of said postage meter machine into a sleeping mode, as said data.

8. A method for securing data and program code in an electronic postage meter machine against manipulation, said electronic postage meter machine having a microprocessor in a control unit for implementing steps of a start and initialization routine upon turn-on of the postage meter machine and for thereafter implementing a system routine including a communication mode with a data central remote from said postage meter machine and a franking mode including an accounting and printing routine in which a franking amount is printed on a postal item and a debiting of the franking amount is made, followed by a branch back to a beginning of said system routine, said method comprising the steps of:

providing an OTP (one time programmable) processor as said microprocessor in said control unit and providing a storage medium accessible by said OTP processor in said postage meter machine;

storing memory contents which may be valid or invalid, in said storage medium, said memory contents including at least one of data and a program code;

conducting a start security check in said OTP processor, 
upon said turn-on of said postage meter machine, in 
said start and initialization routine before conducting 
said system routine, and in said start security check 
forming an MAC (message authentification code) over 
at least a portion of the contents of said storage 
medium and using said MAC to determine the validity 
or invalidity of said contents of said storage medium 
over which said MAC is formed, using an MAC check 
sum sequence; 

said OTP processor transferring said postage meter 
machine into the system routine given validity of said 
memory contents and transferring the postage meter 
machine into a first mode and preventing franking by 
said postage meter machine in said first mode given 
invalidity of said memory contents; and 

storing an encryption algorithm and at least one crypto- 
key associated with said encryption algorithm inter- 
nally in said OTP processor, and said OTP processor 
employing said at least one crypto-key and said encryp- 
tion algorithm for forming said MAC. 

9. A method as claimed in claim 8 wherein the step of 
storing said encryption algorithm comprises storing a DES 
algorithm. 

10. A method for securing data and program code in an 
electronic postage meter machine against manipulation, said 
electronic postage meter machine having a microprocessor 
in a control unit for implementing steps of a start and 
initialization routine upon turn-on of the postage meter 
machine and for thereafter implementing a system routine 
including a communication mode with a data central remote 
from said postage meter machine and a franking mode 
including an accounting and printing routine in which a 
franking amount is printed on a postal item and a debiting of 
the franking amount is made, followed by a branch back to 
a beginning of said system routine, said method comprising 
the steps of: 

providing an OTP (one time programmable) processor as 
said microprocessor in said control unit and providing 
a storage medium accessible by said OTP processor in 
said postage meter machine; 

storing memory contents which may be valid or invalid, 
in said storage medium, said memory contents includ- 
ing at least one of data and a program code; 

conducting a start security check in said OTP processor, 
upon said turn-on of said postage meter machine, in 
said start and initialization routine before conducting 
said system routine, and in said start security check 
forming an MAC (message authentification code) over 
at least a portion of the contents of said storage medium 
and using said MAC to determine the validity or 
invalidity of said contents of said storage medium over 
which said MAC is formed, using an MAC check sum 
sequence; 

said OTP processor transferring said postage meter 
machine into the system routine given validity of said 
memory contents and transferring the postage meter 
machine into a first mode and preventing franking by 
said postage meter machine in said first mode given 
invalidity of said memory contents; 

upon transfer into said system routine, said OTP processor 
calling current data and checking said current data with 
at least one decision criterion and, if said decision 
criterion is satisfied, causing said postage meter 
machine to enter into a second mode wherein a warning 
is displayed at said postage meter machine with a 
request for initiating a communication with said data 
central; and 

said OTP processor causing said postage meter machine 
to enter into at least one further mode and said OTP 
processor conducting at least one further security check 
in said at least further mode. 

11. A method as claimed in claim 10 wherein the step of 
implementing at least one further security check comprises 
conducting an authenticity check of values stored in 
accounting registers in said postage meter machine. 

12. A method as claimed in claim 10, wherein the step of 
said OTP processor implementing at least one further secu- 
rity check comprises: 

storing security-related data in a non-volatile memory in 
said postage meter machine; and 

checking said security-related data at least before entering 
into said franking mode. 

13. A method as claimed in claim 10 wherein the step of 
said OTP processor implementing at least one further secu- 
rity check comprises the steps of: 

identifying a selected portion of said program code; and 
checking for errors in said selected portion of said pro- 
gram code in said storage medium. 

14. A method as claimed in claim 10 wherein the step of 
said OTP processor conducting at least one further security 
check comprises: 

storing data in an EPROM; and 

checking for authenticity of said data stored in said 
EPROM. 

15. A method as claimed in claim 10 including the 
additional steps of: 

storing an accounting value in said EPROM; and 
determining an accuracy of said accounting value as said 
at least one additional security check. 

16. A method as claimed in claim 15 wherein the step of 
checking the accuracy of said accounting value comprises 
displaying said accounting value at said postage meter 
machine. 

17. A method as claimed in claim 15 wherein the step of 
checking the accuracy of said accounting value comprises 
printing out said accounting value using an internal printer 
of said postage meter machine which is also employed for 
said franking said postal items. 

18. A method for securing data and program code in an 
electronic postage meter machine against manipulation, said 
electronic postage meter machine having a microprocessor 
in a control unit for implementing steps of a start and 
initialization routine upon turn-on of the postage meter 
machine and for thereafter implementing a system routine 
including a communication mode with a data central remote 
from said postage meter machine and a franking mode 
including an accounting and printing routine in which a 
franking amount is printed on a postal item and a debiting of 
the franking amount is made, followed by a branch back to 
a beginning of said system routine, said method comprising 
the steps of: 

providing an OTP (one time programmable) processor as 
said microprocessor in said control unit and providing 
a storage medium accessible by said OTP processor in 
said postage meter machine; 

storing memory contents which may be valid or invalid, 
in said storage medium, said memory contents includ- 
ing at least one of data and a program code; 

conducting a start security check in said OTP processor, 
upon said turn-on of said postage meter machine, in 
said start and initialization routine before conducting 
said system routine, and in said start security check 
forming an MAC (message authentification code) over 
at least a portion of the contents of said storage medium 
and using said MAC to determine the validity or 
invalidity of said contents of said storage medium over 
which said MAC is formed, using an MAC check sum 
sequence; 

said OTP processor transferring said postage meter 
machine into the system routine given validity of said 
memory contents and transferring the postage meter 
machine into a first mode and preventing franking by 
said postage meter machine in said first mode given 
invalidity of said memory contents; and 
said OTP processor, upon return to said system routine, 
entering into a printing data call routine for calling data 
for franking said postal items and conducting at least 
one check for authenticity of said printing data and, 
given an absence of authenticity, entering into a pro- 
gram branch externally from said OTP processor in said 
system routine. 